Security, DRM, and Sony

When you install software, you understand some of the risks involved. The Sony DRM case feels different. If you want to listen to a music CD, should you be expected to know that this could result in security holes on your system? This week, O'Reilly's audio magazine program Distributing the Future looks at DRM, security, and the Sony case. You'll hear from an interview with Ben Laurie (of the Apache Software Foundation and The Bunker Secure Hosting), conducted by Intel's Danese Cooper; from a keynote address by Cory Doctorow of the Electronic Frontier Foundation; and from O'Reilly book editor Andy Oram. (DTF 007 beta: 26 minutes, 46 seconds, 12.3MB)

Send feedback on this program to future@oreilly.com or try out a new feature: leave us voice mail. We've signed up with k7 to reserve the U.S. phone number (206) 350-0383 (in Seattle). Leave your feedback on elements from this week's show. Please keep your comments short. We're going to figure out how to incorporate your feedback into the podcast in the future.

Distributing the Future Broadcast Number 007: Show Notes

Show Open (Start: 00:00, Duration: 1:12)

The initial montage is from Tim O'Reilly, recorded at OSCON '04 and in a phone interview with Doug Kaye of ITConversations, and is used with permission. "The future is here, it's just not evenly distributed yet" is a quote from author William Gibson that Tim used with attribution. The theme music is composed and performed by David Battino. This week's show is brought to you by MAKE magazine--technology on your time.

How Much Security? (Start: 1:12, Duration: 2:58)

There is a balance involved in knowing what's a reasonable amount of security or restrictions to impose. Too much and you make the system unusable to authorized users. Ben explains that you have to let users use the software you are protecting. Andy points out that what is different in the Sony case is that users were playing music--not installing software. Cory says that the premise of DRM is flawed. How can you protect a safe that you deliver to the robbers' living room?

Reasonable Restrictions (Start: 4:10, Duration: 4:05)

Andy Oram explains that Sony was trying to prevent people from copying their music CDs more than three times. Although this seems reasonable, Andy points out that Sony was taking the law into its own hands. Before you decide whether or not this is acceptable, Cory provides real examples in which allowing content owners to determine rights can have broader implications.

Understanding Security (Start: 8:15, Duration: 3:35)

What are we protecting against, and how? Ben explains the difference between viruses and worms, and Cory gives a history of securing messages you are sending. With DRM, he argues, the intended recipient is treated as the hacker.

Sony's Methods (Start: 11:50, Duration: 2:05)

Andy explains that whether or not you agree with Sony's objectives, their methods were suspect. They made changes to Windows and did so in a sloppy way.

Open vs. Closed (Start: 13:55, Duration: 5:00)

For Cory, one of the key issues is that DRM devices prohibit you from altering them. They prohibit the use of open systems. He draws an Eric Raymond analogy from alchemy about why not sharing knowledge is a bad idea. Ben counters with stories of how hackers discover holes. He doesn't think that most hackers find exploits by reading source code.

Applying Patches (Start: 16:50, Duration: 2:55)

Once a hole is found and patched, why doesn't everyone immediately install the patches? Ben has first-hand experience with this. He patched OpenSSL and noted that a month later, half of the servers had still not applied the patch.

The Arms Race (Start: 18:55, Duration: 5:10)

Andy explains that Sony had to be intrusive to accomplish their goals. Ben says that often the hackers are punished, and not the people writing the faulty software that the hackers can so easily exploit. Cory says that over-restrictive end-user agreements and DRM policies lead otherwise law-abiding people to break the law so that they can fairly use the content they buy.

Entering Agreements (Start: 24:05, Duration: 1:40)

When you buy a CD, you may have to break a seal that somehow binds you to agree to the terms of playing the CD set out by the content owner. But what about when you are at home watching television? When are you entering an agreement with individual content providers who own the different channels? Cory explains that, in the opinion of the entertainment industry, you form an agreement every time you change the channel.

Daniel H. Steinberg
is the editor for the new series of Mac Developer titles for the Pragmatic Programmers. He writes feature articles for Apple's ADC web site and is a regular contributor to Mac Devcenter. He has presented at Apple's Worldwide Developer Conference, MacWorld, MacHack and other Mac developer conferences.